In the aftermath of the financial crises, it would seem fair to presume that risk management functions now have higher visibility, authority and influence. However, a recent report “Too good to fail” issued by Economist Intelligence Unit covering financial institutions and insurance companies shows contrary results. The report indicates that only one-half of the respondents say that risk management function has gained authority. The other half state it has remained the same or declined. Nearly 35% state poor communication between departments as one of the key barriers to risk management. Lastly, progress on revamping and strengthening risk management departments has slowed down. The graph below points out the problem areas:
This graph to me shows that risk managers didn’t properly leverage the lessons learnt from the economic crises and have failed to make a long-term improvement. Risk managers in financial institutions are the best of the breed and still failed to cut ice with business teams. While CFOs have entrenched themselves in the boardrooms, CROs still face a daunting road ahead. Hence, the most difficult question that most risk managers face today is – how to build a risk management function valued by board and business teams.
I was reading Jim Collins book “Good to Great” in which he has developed a framework for transforming good to great companies. I contemplated on ways to apply the framework to risk management function. It was worthwhile exploring the idea and here are some of my thoughts on it. Hope you find them useful.
1. Level 5 Leadership
The book mentions that at the time of transition of a company from good to great category, the CEO was a level 5 leader. Two main traits – personal humility plus professional will – identify a level 5 leader. The level 5 leader puts organization goals before personal agendas. In contrast the level 4 leader shows the big dog syndrome; an egocentric drive for personal greatness with the organization becoming a monument to their ego.
In my view, in most organizations risk management function is in a transition stage. It needs to make that big leap to become a primary business partner. To do so, CROs and other heads of risk management department need to become Level 5 leaders. Secondly, to be successful they need to have their second-in-commands and/or successors also to have level 5 leadership skills. In short, replace the “I” with “We” to collaborate with business teams.
2. First Who, Then What
Jim Collins has aptly summarized the importance of right people – “If we get right people on the bus, the right people on the right seats and the wrong people off the bus, then we will figure out how to make it someplace great”.
I think most of the risk management functions suffer because of lack of appropriately skilled resources. For example, in India risk managers are technically good however lack communication skills. In the EIU report, Neil Owen regional director at Robert Half Financial Services Group, a recruitment consultancy, hit the nail on the head by saying – “A high-performing risk team will be made up of individuals with different strengths—both commercial and technical”
The message is clear, get the right skill set mix in the team and structure the department appropriately. Break the silos between different risk management functions to give accurate, timely and summarized information to business teams.
3. Confront the Brutal Facts
Risk managers crib list is quite long. It goes – CEO doesn’t give us time, board ignores us, business teams don’t listen to us and on and on. The gist of it is risk managers are blaming everybody else and are not looking in the mirror for their own shortcomings. The irony is that while risk managers find shortcomings and problems in business, they are unable to see their own reality. The graph below depicts the barriers to risk management.
Risk managers must initiate dialogue and debates to identify brutal facts without playing a blame game. As mentioned in the book, adopt “The Stockdale Paradox – Retain faith that you will prevail in the end, regardless of difficulties and at the same time confront the most brutal facts of your reality, whatever they might me.”
4. Hedgehog Concept
In the next step Collins wrote -“The fox knows many things, but the hedgehog knows one big thing.” According to him, people with hedgehog traits “simplify a complex world into a single organizing idea, a basic principle or concept that unifies and guides everything” He has further defined the hedgehog strategy as intersection of three circles –“ what are you deeply passionate about, what drives your economic engine and what can you be the best in the world at.”
In my view, this is the crucial bit where risk managers are missing the point. As the EIU report states, just 60% of the respondents have a clearly defined risk management strategy. Now these may or may not be addressing the strategic risks of the organization.
Hence, risk management functions need to develop a hedgehog strategy with everything else falling in place around one simple idea. To give a clue, they are passionate about risk management, need to align the strategy to economic drivers of the business and identify the risks to ensure that the organization is best in the world in its area.
5. Culture of Discipline
Collins explained the culture of discipline using the analogy of an airline pilot. A pilot has freedom and responsibility within a framework of highly developed system. Regardless of the information and guidance from ground control room, the pilot has the ultimate responsibility for the safety of the passengers.
Developing a risk culture within the organization is similar. As Professor Board of Henley Business School stated in the EIU report – “The business should be in a position where it’s not taking gratuitous risks and doesn’t want to do so. Ideally, there should be an autonomous, risk-aware culture in the business that requires only limited intervention from the risk function.”
I have said before and am repeating it again, building a risk aware culture within the organization is of paramount importance. Risk managers need to train business teams to have the discipline to formally identify risks for each decision and mitigate the same. If it is outside business teams experience or bandwidth, the risk managers must hand hold the teams.
6. Technology Accelerators
I really appreciate Collins insight on use of technology in organizations. He summarized it as follows – “How a company reacts to technological change is a good indicator of its inner drive for greatness versus mediocrity. Great companies respond with thoughtfulness and creativity, driven by a compulsion to turn unrealized potential into results, mediocre companies react and lurch about, motivated by fear of being left behind.”
On the other hand, the EIU report states the following – “Despite this continuing investment in data and IT, the problems are far from being addressed. Most institutions have a patchwork of systems, often as a legacy of mergers and acquisitions, which are incompatible with each other.”
The CROs problem is clearly identified – with multiple platforms and systems it is hard to get accurate data to identify risks in a timely manner. The alternative is that CROs invest in risk management software and systems that facilitate in identifying and managing risks. Some CROs are still slow in investing in technology and this mindset needs to be changed.
Collins captured the transformation of good to great companies in the following words –
“No matter how dramatic the end result, the good-to-great transformations never happened in one fell swoop. There was no single defining action, no grand program, no one killer innovation, no solitary lucky break, no wrenching revolution. Good to great comes about by cumulative process- step by step, action by action, decision by decision, turn by turn of the flywheel – that adds up to a sustained and spectacular results.”
In one line, risk managers need to adopt this motto to transform risk management function from good to great.